Stagefright Poses Serious Risks One Year After It First Surfaced

ANALYSIS: One year after the Stagefright Android flaw was first reported, its effects are widespread. More than 100 related flaws have emerged and hundreds of millions of users remain at risk.

On July 27, 2015, news broke about Stagefright, a vulnerability in Android. A year later, it’s clear that Stagefright has had a major impact on the mobile security world—more so than other vulnerabilities in recent memory.

The Stagefright flaw isn’t just a single issue even though a year ago it wasn’t entirely clear how much of an impact the vulnerability would have. Stagefright, a reference to the libstagefright media library in Android, was found by Joshua Drake, vice president of Platform Research and Exploitation at Zimperium, to be vulnerable to exploitation.

Still at risk

When I first spoke to Drake a year ago, he explained to me that the Stagefright issues were in large part integer overflows that lead to potentially exploitable memory buffer overflow conditions. The danger was that hundreds of millions of Android users were at risk from the issue, and unfortunately, a year later, hundreds of millions of Android users remain at risk.
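The bug class Drake describes, as an added example (not code from libstagefright or from this article): a constructed table-size calculation in C where a 32-bit multiplication wraps, shown beside a checked form that rejects the input. The record layout, constants and function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (an assumption, not a real media format):
 * a header followed by `count` fixed-size entries. */
#define HEADER_SIZE 8u
#define ENTRY_SIZE  12u

/* Unchecked form: the 32-bit product wraps modulo 2^32, so a very
 * large count read from the file yields a small allocation size. */
uint32_t table_size_unchecked(uint32_t count) {
    return HEADER_SIZE + count * ENTRY_SIZE;
}

/* Checked form: refuse any count whose total would wrap, or that
 * claims more bytes than actually remain in the input. */
bool table_size_checked(uint32_t count, size_t remaining, uint32_t *out) {
    if (count > (UINT32_MAX - HEADER_SIZE) / ENTRY_SIZE)
        return false;                 /* multiply/add would overflow */
    uint32_t total = HEADER_SIZE + count * ENTRY_SIZE;
    if (total > remaining)
        return false;                 /* more data claimed than present */
    *out = total;
    return true;
}

int main(void) {
    uint32_t hostile = 0x15555556u;   /* constructed sample count */
    uint32_t size = 0;

    /* The unchecked size is tiny even though the count is enormous;
     * a buffer of that size cannot hold the entries copied into it. */
    printf("unchecked size for count %u: %u bytes\n",
           (unsigned)hostile, (unsigned)table_size_unchecked(hostile));

    if (!table_size_checked(hostile, 1u << 20, &size))
        printf("checked form rejects the same count\n");
    if (table_size_checked(4u, 100, &size))
        printf("checked form accepts count 4: %u bytes\n", (unsigned)size);
    return 0;
}
```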

The initial set of Stagefright vulnerabilities was publicly disclosed at Black Hat USA 2015 and led Google to rethink its process for Android security, ushering in a new monthly cycle for Android patch updates. As it turns out, the initial Stagefright issues Drake disclosed were not the last libstagefright flaws, and he wasn’t the only security researcher to find Stagefright-related flaws.

Drake told me that, over the course of the last year of Android updates, Google has issued patches for 115 media server-related CVE (Common Vulnerabilities and Exposures) flaws. Of those, 49 were found directly in libstagefright, with 35 in libmedia and 31 in libraries on which libstagefright depends. The number of Stagefright-related flaws in the past year came as a surprise to Drake.

“I expected shoring up the larger problem to take an extended and large effort, but I didn’t expect it to be ongoing a year later,” Drake said. “I think Google has their Android Security Rewards program to thank for many of the discovered and fixed issues.”

The Android Security Rewards program, a bug bounty program for Android, is really serving its purpose, Drake said. In June, Google disclosed that it had paid out $550,000 in bug bounties in the program’s first year. Google paid Drake approximately $50,000 for his Stagefright-related disclosures.

While Google has been patching Stagefright and related media server flaws for a year now, not all Android users update their devices and not every Android device gets updated. That window of vulnerability doesn’t necessarily translate into widespread exploitation, although that risk does exist.

“We believe that Stagefright-type vulnerabilities have and likely are being used in targeted attacks,” Drake said. “However, the nature of a targeted attack makes detection difficult.”

Drake’s employer Zimperium has detection logic for Stagefright in its product platform, and customer data does show several detections of Stagefright-related anomalies.

Zimperium has benefited from the Stagefright disclosure, which helped raise the company’s overall profile. In June, Zimperium announced a $25 million Series C round of funding, bringing total financing to date for the company up to $43.5 million.

While Stagefright-related flaws remain an issue in the current generation of Android devices, Google has pledged to make significant improvements in the upcoming Android N release cycle. That said, Drake’s view is that Google is likely not going to back-port media server isolation improvements from Android N to earlier Android releases.

“Google sort of abandons older versions of Android, and only provides security fixes for them,” Drake said. “This fact, combined with the practice of shipping security improvements in new major releases only, underscores the need for faster adoption of new major versions of Android.”

While Drake’s discovery of the Stagefright flaw in 2015 has had an obvious impact on Android, Drake did not win and wasn’t nominated for a Pwnie award at Black Hat in 2015, due to timing issues. For 2016, that situation is very different. The Pwnie Awards are somewhat whimsical, but they are still valued for notoriety.

For 2016, Stagefright is nominated for multiple Pwnie Awards, including the Pwnie for best server-side bug, best client-side bug and most over-hyped bug. Drake tells me that he doesn’t currently have an acceptance speech prepared, but if he wins, he will say something on the spot.

“It’s been such an eventful year industry-wide that there’s serious competition in every category,” Drake said. “I would not be surprised to leave Vegas without a golden pony at all.”

While I have no insider insight into whether Drake will win a coveted Pwnie award, I do know that I’ll be in the room to cheer him on regardless—for his contribution to information security and discovering the bug that literally changed the mobile security landscape for a billion people.

Originally published on eWeek.